DRAG DROP
You have an Exchange Server 2013 organization that contains several custom RBAC management
roles.
You need to identify which RBAC scopes must be used to meet the following requirements:
• Manage only the mailboxes of the users in the sales department.
• Manage the properties of all the mailbox databases.
Which RBAC scopes should you identify? (To answer, drag the appropriate RBAC scopes to the
correct requirements. Each RBAC scope may be used once, more than once, or not at all. You may
need to drag the split bar between panes or scroll to view content.)
Explanation:
http://technet.microsoft.com/en-us/library/dd335146(v=exchg.150).aspx
Management role scopes enable you to define the specific scope of impact or influence of a
management role when a management role assignment is created.
When you apply a scope, the role assignee assigned to the role can only modify the objects
contained within that scope.
A role assignee can be a management role group, management role, management role assignment
policy, user, or universal security group (USG).
Every management role, whether it’s a built-in role or a custom role, has management scopes.
Management scopes can be either of the following:
Regular
A regular scope isn’t exclusive. It determines where, in Active Directory, objects can be viewed or
modified by users assigned the management role. In general, a management role indicates what you
can create or modify, and a management role scope indicates where you can create or modify.
Regular scopes can be either implicit or explicit scopes, both of which are discussed later in this
topic.
Exclusive
An exclusive scope behaves almost the same as a regular scope. The key difference is that it enables
you to deny users access to objects contained within the exclusive scope if those users aren’t
assigned a role associated with the exclusive scope. All exclusive scopes are explicit scopes, which
are discussed later in this topic.
Scopes can be inherited from the management role, specified as a predefined relative scope on a
management role assignment, or created using custom filters and added to a management role
assignment.
Scopes inherited from management roles are called implicit scopes while predefined and custom
scopes are called explicit scopes.
Implicit scopes are the default scopes that apply to a management role type. Because implicit scopes
are associated with a management role type, all of the parent and child management roles with the
same role type also have the same implicit scopes.
Implicit scopes apply to both built-in management roles and also to custom management roles.
Implicit scopes defined on management roles (scope name, then its description):

Organization
If Organization is present in the role’s recipient write scope, the role can create or modify recipient
objects across the Exchange organization.
If Organization is present in the role’s recipient read scope, roles can view any recipient object across
the Exchange organization.
This scope is used only with recipient read and write scopes.

MyGAL
If MyGAL is present in the role’s recipient write scope, the role can view the properties of any
recipient within the current user’s global address list (GAL).
If MyGAL is present in the role’s recipient read scope, the role can view the properties of any
recipient within the current GAL.
This scope is used only with recipient read scopes.

Self
If Self is present in the role’s recipient write scope, the role can modify only the properties of the
current user’s mailbox.
If Self is present in the role’s recipient read scope, the role can view only the properties of the
current user’s mailbox.
This scope is used only with recipient read and write scopes.

MyDistributionGroups
If MyDistributionGroups is present in the role’s recipient write scope, the role can create or modify
distribution list objects owned by the current user.
If MyDistributionGroups is present in the role’s recipient read scope, the role can view distribution
list objects owned by the current user.
This scope is used only with recipient read and write scopes.

OrganizationConfig
If OrganizationConfig is present in the role’s configuration write scope, the role can create or modify
any server or database configuration object across the Exchange organization.
If OrganizationConfig is present in the role’s configuration read scope, the role can view any server
or database configuration object across the Exchange organization.
This scope is used only with configuration read and write scopes.

None
If None is in a scope, that scope isn’t available to the role. For example, a role that has None in
the recipient write scope can’t modify recipient objects in the Exchange organization.
Explicit scopes are scopes that you set yourself to control which objects a management role can
modify. Although implicit scopes are defined on a management role, explicit scopes are defined on a
management role assignment.
This enables the implicit scopes to be applied consistently across all management roles unless you
choose to use an overriding explicit scope. For more information about management role
assignments, see Understanding Management Role Assignments.
Explicit scopes override the implicit write and configuration scopes of a management role. They
don’t override the implicit read scope of a management role. The implicit read scope continues to
define what objects the management role can read.
Explicit scopes are useful when the implicit write scope of a management role doesn’t meet the
needs of your business. You can add an explicit scope to include nearly anything you want as long as
the new scope doesn’t exceed the bounds of the implicit read scope. The cmdlets that are part of a
management role must be able to read information about the objects or containers that contain
objects for the cmdlets to create or modify objects. For example, if the implicit read scope on a
management role is set to Self, you can’t add an explicit write scope of Organization because the
explicit write scope exceeds the bounds of the implicit read scope.
The OrganizationConfig implicit scope
If OrganizationConfig is present in the role’s configuration write scope, the role can create or modify
any server or database configuration object across the Exchange organization.
If OrganizationConfig is present in the role’s configuration read scope, the role can view any server
or database configuration object across the Exchange organization.
CAN MANAGE THE PROPERTIES OF ALL OF THE MAILBOX DATABASES.
The Self Implicit Scope If Self is present in the role’s recipient write scope, the role can modify only
the properties of the current user’s mailbox.
If Self is present in the role’s recipient read scope, the role can view only the properties of the
current user’s mailbox.
CANNOT BE SELF AS IT PERTAINS TO ONLY THE PARTICULAR USER’S MAILBOX
The Organization relative scope
If Organization is present in the role’s recipient write scope, the role can create or modify recipient
objects across the Exchange organization.
If Organization is present in the role’s recipient read scope, roles can view any recipient object across
the Exchange organization.
This scope is used only with recipient read and write scopes.
NOT MEANT FOR MANAGING MAILBOX DATABASES
A recipient is any mail-enabled object in the Active Directory directory service to which Exchange can
deliver or route messages.
In Microsoft Exchange, recipients comprise mailbox users, mail-enabled users, mail contacts,
distribution groups, security groups, dynamic distribution groups, and mail-enabled public folders.
The Recipient filter explicit scope
Recipient filter scopes use filters to target specific recipients based on recipient type or other
recipient properties such as department, manager, location, and more.
CAN TARGET THE USERS IN THE SALES DEPARTMENT
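The Exchange Management Shell commands below are an added example, not part of the question or of the TechNet text it quotes. They build the two scopes the answer identifies (a recipient filter explicit scope for the sales department, and the OrganizationConfig implicit configuration scope for all mailbox databases) and then run the checks an administrator would use to confirm the explicit write scope stays within the role’s implicit read scope. The group names "Sales Mailbox Admins" and "Database Admins" and the scope name "Sales Department Mailboxes" are assumptions; "Mail Recipients" and "Databases" are built-in roles.

```powershell
# Added example (not from the original question or TechNet). Assumed names:
# security groups "Sales Mailbox Admins" and "Database Admins" (must be universal
# security groups) and the scope name "Sales Department Mailboxes".

# --- Requirement 1: manage only the mailboxes of users in the sales department ---
# A recipient filter explicit scope narrows the write scope to recipients whose
# Department attribute equals "Sales". The filter is evaluated against recipient
# properties, so Department must actually be populated on those user objects.
New-ManagementScope -Name "Sales Department Mailboxes" `
    -RecipientRestrictionFilter { Department -eq "Sales" }

# Assign the built-in "Mail Recipients" role with that scope as the custom recipient
# write scope. The role's implicit recipient read scope is Organization, so this
# explicit write scope is inside the read scope (an explicit write scope may never
# exceed the implicit read scope, or the assignment is rejected).
New-ManagementRoleAssignment -Name "Mail Recipients - Sales" `
    -Role "Mail Recipients" `
    -SecurityGroup "Sales Mailbox Admins" `
    -CustomRecipientWriteScope "Sales Department Mailboxes"

# --- Requirement 2: manage the properties of all mailbox databases ---
# Databases are configuration objects, not recipients, so no recipient scope can
# reach them. The built-in "Databases" role carries the OrganizationConfig implicit
# configuration write scope, so a plain assignment already covers every database.
New-ManagementRoleAssignment -Name "Databases - Organization" `
    -Role "Databases" `
    -SecurityGroup "Database Admins"

# --- Checks ---
# 1. Show the implicit scopes of both roles; confirm RecipientReadScope on
#    "Mail Recipients" is Organization and ConfigWriteScope on "Databases" is
#    OrganizationConfig before relying on the assignments above.
foreach ($role in "Mail Recipients", "Databases") {
    Get-ManagementRole -Identity $role |
        Format-List Name, RecipientReadScope, RecipientWriteScope, ConfigReadScope, ConfigWriteScope
}

# 2. Confirm the scope was created as a regular (non-exclusive) recipient scope with
#    the intended filter.
Get-ManagementScope -Identity "Sales Department Mailboxes" |
    Format-List Name, RecipientFilter, ScopeRestrictionType, Exclusive

# 3. List the effective assignments for each group, including the scopes in force.
Get-ManagementRoleAssignment -RoleAssignee "Sales Mailbox Admins" |
    Format-List Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope
Get-ManagementRoleAssignment -RoleAssignee "Database Admins" |
    Format-List Role, ConfigReadScope, ConfigWriteScope
```

The third check is the one to keep in a runbook: it shows, per assignee, exactly which read and write scopes apply, which is what an auditor needs to confirm that a sales helpdesk group cannot touch mailboxes outside its department and that the database group holds no recipient write scope at all.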